This ‘invisible’ memory-based malware is infiltrating organisations across the globe

February 9, 2017 – 4:53 AM

Cybercriminals are launching ‘invisible’ attacks to infiltrate the networks of organisations to steal login credentials and financial data — and the only tool they’re using is legitimate software.

It’s thought that over 140 organisations including banks, telecommunications companies, and government organisations across the globe have fallen victim to these hidden malware attacks.

Discovered by cybersecurity researchers at Kaspersky Lab, the attacks use widely-available tools, including penetration-testing and administration software as well as the PowerShell framework for task automation in Windows, to hide malware in victims’ computer memory, instead of the more traditional tactic of dropping it onto the hard drive.

This form of attack leaves investigators with almost no evidence that an attack took place, and any indication of an incident is removed when the system is rebooted.
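Because the in-memory tradecraft described above leaves little on disk and is erased at reboot, one of the few durable records a defender has is PowerShell script block logging (Windows event ID 4104). The following added example, which is not part of the original article or of Kaspersky Lab's research, scans constructed 4104-style events for in-memory loading indicators and groups hits by host so that memory can be acquired before anyone reboots; the flattened event shape and the indicator list are assumptions for the example.

```python
import re

# Indicators of in-memory code loading commonly associated with fileless PowerShell
# activity. This list is an assumption for the example, not an authoritative signature set.
MEMORY_INDICATORS = {
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\b", re.I),
    "encoded_command": re.compile(r"-(enc|encodedcommand)\s", re.I),
    "download_to_memory": re.compile(r"DownloadString\(|Invoke-Expression|\bIEX\b", re.I),
    "native_memory_api": re.compile(r"\bVirtualAlloc\b|\bWriteProcessMemory\b|\bCreateRemoteThread\b", re.I),
    "bypass_flags": re.compile(r"-(nop|noprofile)\b.*-w(indowstyle)?\s+hidden|-ExecutionPolicy\s+Bypass", re.I),
}

# Constructed sample events in the shape of event ID 4104 (ScriptBlockText logging).
# Real events are XML; this flattened dict form is an assumption for the example.
SAMPLE_EVENTS = [
    {"host": "srv-01", "user": "admin", "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"host": "srv-02", "user": "svc_backup", "script": "Copy-Item C:\\db\\*.bak \\\\nas\\backups -Recurse"},
    {"host": "srv-03", "user": "SYSTEM", "script": "powershell -nop -w hidden -EncodedCommand QUJDREVGR0hJSktM"},
    {"host": "srv-03", "user": "SYSTEM", "script": "$a=[System.Reflection.Assembly]::Load($b); IEX $c"},
]


def score_event(event):
    """Return the names of every indicator that matches the event's script block text."""
    return [name for name, rx in MEMORY_INDICATORS.items() if rx.search(event["script"])]


def triage(events, threshold=1):
    """Group events that meet the indicator threshold by host.

    The result is the list of hosts whose volatile memory should be captured first,
    since a reboot would destroy the only remaining evidence of in-memory payloads.
    """
    suspects = {}
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= threshold:
            suspects.setdefault(ev["host"], []).append({"user": ev["user"], "indicators": hits})
    return suspects


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(f"{host}: acquire memory before reboot; {len(findings)} suspicious script block(s)")
        for f in findings:
            print(f"  user={f['user']} indicators={','.join(f['indicators'])}")
```

Script block logging must already be enabled on the host for these events to exist; without it the reboot-erases-everything problem described in the article applies in full.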

The discovery came after Kaspersky Lab was contacted by banks which had found Meterpreter penetration-testing software in the memory of their servers when it wasn’t supposed to be in that location.

Meterpreter's code was combined with legitimate PowerShell scripts and other utilities, with the aim of stealing administrator passwords and remotely controlling machines and systems. All of these factors indicate the attackers are attempting to make off with credentials relating to financial processes.

This ‘invisible’ method of attack makes it difficult to uncover details about incidents, because the absence of traces of hacker activity means the normal processes of incident response don’t apply.